Handbook

Controlling access with a MAC ACL

6.0.0

Controlling access with a MAC ACL

A MAC access control list (ACL) allows or blocks access on a network interface that includes a DHCP server. If the interface does not use DHCP, or if you want to limit network access to a larger group such as employee devices, it is better to create a device group and specify that group in your security policies.

A MAC ACL functions as either a list of devices to block, allowing all other devices, or a list of devices to allow, blocking all other devices.

Allowed devices are assigned an IP address. The Assign IP action assigns the device an IP address from the DHCP range. In a list of allowed devices, you can also use the Reserve IP action to always provide a specific IP address to the device.

The Unknown MAC Address entry applies to "other" unknown, unlisted devices. Its action must be opposite to that of the other entries. In an allow list, it must block. In a block list, it must allow.

To create a MAC ACL to allow only specific devices
  1. Go to the SSID or network interface configuration.
  2. In the DHCP Server section, expand Advanced. DHCP Server must be enabled.
  3. In MAC Reservation + Access Control, select Create New and enter an allowed device’s MAC Address.
  4. In the IP or Action column, select one of:

    • Assign IP — device is assigned an IP address from the DHCP server address range.
    • Reserve IP — device is assigned the IP address that you specify.
  5. Repeat Steps 3 and 4 for each additional MAC address entry.
  6. Set the Unknown MAC Address entry IP or Action to Block. Devices not in the list will be blocked.
  7. Select OK.
To create a MAC ACL to block specific devices
  1. Go to the SSID or network interface configuration.
  2. In the DHCP Server section, expand Advanced. DHCP Server must be enabled.
  3. In MAC Reservation + Access Control, select Create New and enter the MAC Address of a device that must be blocked.
  4. In the IP or Action column, select Block.
  5. Repeat Steps 3 and 4 for each device that must be blocked.
  6. Set the Unknown MAC Address entry IP or Action to Assign IP. Devices not in the list will be assigned IP addresses.
  7. Select OK.
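The same two ACLs expressed in the FortiOS CLI, as an added example that is not part of the original handbook page. It assumes the interface's DHCP server is entry 1 of config system dhcp server and uses the mac-acl-default-action and reserved-address settings from the FortiOS CLI reference; the MAC and IP values are constructed.

```fortios
# Allow list: only the two listed devices receive an address; all others are blocked.
# Constructed values; DHCP server id 1 is assumed to be the one bound to the interface.
config system dhcp server
    edit 1
        set mac-acl-default-action block
        config reserved-address
            edit 1
                set mac 00:11:22:33:44:55
                set action assign
            next
            edit 2
                set mac 00:11:22:33:44:66
                set ip 10.0.0.50
                set action reserved
            next
        end
    next
end

# Block list: the listed device is refused; every other device is assigned an address.
config system dhcp server
    edit 1
        set mac-acl-default-action assign
        config reserved-address
            edit 1
                set mac 00:11:22:33:44:77
                set action block
            next
        end
    next
end
```

After committing, show system dhcp server displays the resulting entries so you can confirm that the default action is the opposite of the listed entries, as the GUI procedure requires.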

MAC authentication bypass

MAC authentication bypass (MAB) allows devices without 802.1X capability (printers and IP phones for example) to bypass authentication and be allowed network access based on their MAC address. This feature requires RADIUS-based 802.1X authentication in which the RADIUS server contains a database of authorized MAC addresses.

MAB is configurable only in the CLI and only on interfaces configured for 802.1X authentication. For example:

config system interface
    edit "lan"
        set ip 10.0.0.200 255.255.255.0
        set vlanforward enable
        set security-mode 802.1X
        set security-mac-auth-bypass enable
        set security-groups "Radius-group"
    end
end

MAB is also available on WiFi SSIDs, regardless of authentication type. It is configurable only in the CLI. You need to enable the radius-mac-auth feature and specify the RADIUS server that will be used. For example:

config wireless-controller vap
    edit "office-ssid"
        set security wpa2-only-enterprise
        set auth usergroup
        set usergroup "staff"
        set radius-mac-auth enable
        set radius-mac-auth-server "ourRadius"
    end
end